Data Protection

Privacy Policy

Last updated: 8 May 2026

1. Joint controllers

AlmaTosca is a joint project run by two joint controllers within the meaning of Article 26 GDPR and Article 5(7) nFADP:

SwissCodex GmbH
Corso San Gottardo 6b
Chiasso, Ticino, Switzerland
Email: info@swisscodex.ch
Role: technical development, hosting, and maintenance of the Site.
New Target SA
Via G. Calgari 2
6900 Lugano, Switzerland
Company no.: CHE-453.276.583
Email: info@newtarget.ch
Role: receipt and handling of enquiries submitted via the Site's contact form.

For any request regarding the processing of personal data — including the exercise of rights under the nFADP and the GDPR — please contact the single point of contact: privacy@almatosca.ch.

No Data Protection Officer (DPO) has been appointed, as the conditions for mandatory designation set out in Article 37 GDPR and Article 10 nFADP are not met.

2. Scope

This privacy policy applies exclusively to the corporate website almatosca.ch (hereinafter "Website"), which serves informational purposes and presents AlmaTosca's services.

3. Legal basis and territorial scope

The processing of personal data is carried out in accordance with:

  • The new Swiss Federal Act on Data Protection (nFADP), in force since 1 September 2023;
  • The General Data Protection Regulation (GDPR) of the EU/EEA, applicable to visitors of the Website from the European Union and the European Economic Area.

AlmaTosca offers its services commercially exclusively to business customers established in Switzerland. For this reason, no EU representative has been appointed pursuant to Article 27 GDPR. GDPR rights nonetheless remain guaranteed to EU/EEA visitors of the Website pursuant to Article 3(2)(b) GDPR (analytics cookies, exercise of rights, complaint to supervisory authority).

4. Joint controllership

SwissCodex GmbH and New Target SA act as joint controllers within the meaning of Article 26 GDPR and Article 5(7) nFADP. The allocation of roles and responsibilities is as follows:

  • SwissCodex GmbH — design, development, hosting, maintenance, and technical security of the Website; management of integrations with third-party services (analytics, cookie consent, email); definition of technical and organisational security measures;
  • New Target SA — receipt and handling of enquiries submitted via the Site's contact form.

The joint controllers have entered into an internal agreement governing their respective obligations and responsibilities regarding data protection. This document, together with the single point of contact privacy@almatosca.ch, makes the essence of the agreement available to data subjects. The data subject may exercise their rights vis-à-vis and against each of the joint controllers, indistinctly.

5. Cookies and tracking technologies

The Site uses cookies and similar technologies to ensure its operation, analyse traffic, and improve user experience. All non-strictly necessary cookies are installed only after explicit consent, collected via the banner displayed on the first visit.

5.1 Third-party services used

  • Google Fonts (Google LLC) — loading of typographic fonts. Data transfer: USA, covered by Standard Contractual Clauses.
  • Google Analytics 4 (Google LLC) — anonymous statistical analysis of traffic. Configured with IP anonymisation and Google Consent Mode v2: data is collected only after consent and in aggregated form. Data transfer: USA, covered by Standard Contractual Clauses.

5.2 Consent management

The user may accept, refuse, or customise cookie consent via the banner shown on the first visit, or reopen the preferences panel at any time (icon at the bottom right). Consent is stored and can be revoked at any time.

5.3 Full Cookie Policy

For the detailed list of cookies, purposes, retention periods, and providers, please refer to our full Cookie Policy.

5.4 Other technologies

The Site also uses the browser's sessionStorage to manage access during the current session. SessionStorage is not a cookie, is not transmitted to the server, and is automatically deleted when the browser tab is closed.

6. Data collected via the Website

6.1 Contact form

The Website features a contact form that allows visitors to send informational or commercial enquiries. The data entered (name, email, subject, message) is transmitted by email to info@almatosca.ch via the SMTP server of Infomaniak Network SA (host of the almatosca.ch domain) and is not stored in any database.

The legal basis for processing is the legitimate interest of the joint controllers in responding to enquiries from potential customers, as well as — where the request relates to a possible commercial relationship — the performance of pre-contractual measures at the request of the data subject (Article 6(1)(b) GDPR).

6.2 Navigation data

The web server (managed by OVH SAS) automatically logs standard technical data (IP address, date and time of access, pages visited, browser type, HTTP response code). This data is used exclusively to ensure the technical operation, security, and diagnostics of the Site, and is not cross-referenced with other personal data.

7. Processors and providers

For the technical operation of the Site, the joint controllers rely on the following providers, qualified as processors or sub-processors within the meaning of Article 28 GDPR:

  • OVH SAS (France) — hosting of the web server and storage of nginx logs;
  • Infomaniak Network SA (Switzerland) — management of the almatosca.ch domain and SMTP relay for the contact form;
  • iubenda S.r.l. (EU) — cookie banner, storage of consent records, and hosting of the cookie policy;
  • Google LLC / Google Ireland Ltd. (EU / USA) — Google Fonts (font rendering) and Google Analytics 4 (aggregated statistics), with Standard Contractual Clauses and adherence to the Data Privacy Framework.
  • Cloudflare, Inc. (USA) — Turnstile service for anti-bot verification of the Site's contact and tasting forms. When the form is submitted, a verification token and the visitor's IP address are transmitted to Cloudflare. Cloudflare adheres to the EU-US Data Privacy Framework and applies Standard Contractual Clauses for transfers to the USA.

Each provider is contractually bound to comply with applicable data protection regulations. This list may evolve; any updates will be reflected in this document.

8. Data transfers

Personal data collected via the Site is primarily processed within Switzerland and the European Economic Area (EEA).

Some third-party services listed in sections 5 and 7 (Google Fonts, Google Analytics 4) may involve data transfers to the United States of America. In such cases, the transfer takes place on the basis of adequate protection safeguards provided for by the nFADP and the GDPR, in particular:

  • Standard Contractual Clauses approved by the European Commission;
  • Adherence to the EU-US Data Privacy Framework, where applicable;
  • Supplementary technical measures such as pseudonymisation and anonymisation (e.g. IP anonymisation in Google Analytics 4).

Personal data is not sold, transferred, or disclosed to third parties for marketing purposes.

9. Retention periods

Personal data collected via the Site is retained only for the time strictly necessary for the purposes for which it was collected, according to the following criteria:

  • Emails received via the contact form: retained for a maximum of 24 months from receipt, unless the contact develops into a contractual relationship; in the latter case, the retention periods provided for by the commercial relationship and applicable Swiss tax and accounting law (Art. 958f CO) apply;
  • Web server technical logs: 90 days maximum;
  • Google Analytics 4 data: 14 months (default setting), in aggregated and anonymised form;
  • Cookies and consent preferences: in accordance with the retention periods specified in the Cookie Policy.

At the end of the indicated retention periods, data is deleted or irreversibly anonymised.

10. Rights of the data subject

In accordance with the Swiss nFADP and the GDPR, you have the right to:

  • Access: request confirmation of processing and obtain a copy of your personal data;
  • Rectification: request the correction of inaccurate or incomplete data;
  • Erasure: request the deletion of your personal data, where applicable;
  • Data portability: receive your data in a structured, commonly used, and machine-readable format;
  • Objection: object to the processing on grounds relating to your particular situation;
  • Restriction: request the restriction of processing in certain circumstances;
  • Withdrawal of consent: withdraw consent given for consent-based processing (in particular analytics cookies) at any time, without affecting the lawfulness of processing carried out before withdrawal. For cookies, the consent panel can be reopened at any time via the icon at the bottom right of the Site;
  • Complaint to the supervisory authority: file a complaint with the competent authority (see section 13).

To exercise these rights, please write to the joint controllers' single point of contact: privacy@almatosca.ch. The joint controllers will respond without undue delay and in any case within 30 days of receipt of the request.

11. Automated decision-making and profiling

No automated decision-making or profiling activities producing legal effects significantly affecting the data subject are carried out, within the meaning of Article 22 GDPR and Article 21 nFADP. The statistical analyses carried out via Google Analytics 4 are aggregated and anonymised and are not used to make decisions concerning individuals.

12. Data security

The Site is built with static technology (Astro) and does not store personal data in any of its own databases. The joint controllers nonetheless take appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data processed, in compliance with the requirements of the nFADP and the GDPR. In particular:

  • traffic encryption via HTTPS/TLS (Let's Encrypt certificate) on both almatosca.ch and www.almatosca.ch;
  • segregation of administrative server access and SSH key-based authentication;
  • rotation and limitation of access logs (90 days maximum);
  • regular updates of the web server (nginx) and operating system;
  • oversight of third-party providers via data processing agreements and selection of providers with recognised security certifications.

13. Supervisory authority

You have the right to lodge a complaint with the competent supervisory authority. In particular:

  • For Swiss residents: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch;
  • For EU/EEA residents: the data protection authority of your country of residence.

14. Changes to this policy

SwissCodex GmbH and New Target SA, as joint controllers, reserve the right to update this privacy policy at any time to reflect regulatory, technical, or organisational changes. Substantial changes will be communicated to users with reasonable advance notice. The date of the last update is indicated at the top of the document.